Changeset 2a1ffd6 in mod_gnutls


Timestamp:
May 31, 2016, 1:12:53 PM (2 years ago)
Author:
Thomas Klute <thomas2.klute@…>
Branches:
debian/master, debian/stretch-backports, master, upstream
Children:
64856fd
Parents:
d35b98e
Message:

Move trust list generation for OCSP to a separate function

The new function is supposed to be used during server configuration
later, instead of recreating the trust list every time an OCSP
response is checked.

Location:
src
Files:
2 edited

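--- a/src/gnutls_ocsp.c
+++ b/src/gnutls_ocsp.c
@@ -86,25 +86,18 @@
         return GNUTLS_E_NO_CERTIFICATE_FOUND;
     }
-    gnutls_x509_trust_list_t issuer;
-    int ret = gnutls_x509_trust_list_init(&issuer, 1);
-    if (ret != GNUTLS_E_SUCCESS)
-    {
-        ap_log_cerror(APLOG_MARK, APLOG_ERR, APR_EGENERAL, ctxt->c,
-                      "Could not create issuer trust list: %s (%d)",
-                      gnutls_strerror(ret), ret);
-        goto trust_cleanup;
-    }
+
     /* Only the direct issuer may sign the OCSP response or an OCSP
      * signer. Assuming the certificate file is properly ordered, it
      * should be the one directly after the server's. */
-    ret = gnutls_x509_trust_list_add_cas(issuer,
+    gnutls_x509_trust_list_t issuer;
+    int ret = mgs_create_ocsp_trust_list(&issuer,
                                          &(ctxt->sc->certs_x509_crt_chain[1]),
-                                         1, 0);
-    if (ret != 1)
-    {
-        ap_log_cerror(APLOG_MARK, APLOG_ERR, APR_EGENERAL, ctxt->c,
-                      "Could not populate issuer trust list.");
-        ret = GNUTLS_E_CERTIFICATE_ERROR;
-        goto trust_cleanup;
+                                         1);
+    if (ret != GNUTLS_E_SUCCESS)
+    {
+        ap_log_cerror(APLOG_MARK, APLOG_ERR, APR_EGENERAL, ctxt->c,
+                      "Could not create issuer trust list: %s (%d)",
+                      gnutls_strerror(ret), ret);
+        return ret;
     }
 
@@ -205,4 +198,5 @@
             ap_log_cerror(APLOG_MARK, APLOG_ERR, APR_EGENERAL, ctxt->c,
                           "OCSP response has expired at %s!", date_str);
+            /* Do not send a stale response */
             ret = GNUTLS_E_OCSP_RESPONSE_ERROR;
             goto resp_cleanup;
@@ -229,5 +223,4 @@
  resp_cleanup:
     gnutls_ocsp_resp_deinit(resp);
- trust_cleanup:
     /* deinit trust list, but not the certificates */
     gnutls_x509_trust_list_deinit(issuer, 0);
@@ -265,2 +258,24 @@
     return GNUTLS_E_NO_CERTIFICATE_STATUS;
 }
+
+
+
+int mgs_create_ocsp_trust_list(gnutls_x509_trust_list_t *tl,
+                               const gnutls_x509_crt_t *chain,
+                               const int num)
+{
+    int added = 0;
+    int ret = gnutls_x509_trust_list_init(tl, num);
+
+    if (ret == GNUTLS_E_SUCCESS)
+        added = gnutls_x509_trust_list_add_cas(*tl, chain, num, 0);
+
+    if (added != num)
+        ret = GNUTLS_E_CERTIFICATE_ERROR;
+
+    /* Clean up trust list in case of error */
+    if (ret != GNUTLS_E_SUCCESS)
+        gnutls_x509_trust_list_deinit(*tl, 0);
+
+    return ret;
+}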
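Review bot: mgs_create_ocsp_trust_list deinitialises a trust list whose gnutls_x509_trust_list_init() failed: when init returns an error, `added` stays 0, the `added != num` test then overwrites the init error with GNUTLS_E_CERTIFICATE_ERROR, and the final `ret != GNUTLS_E_SUCCESS` branch calls gnutls_x509_trust_list_deinit(*tl, 0) on a list that was never set up. Returning early after a failed init keeps the original error code, which the caller in the first hunk logs through gnutls_strerror(), and only deinitialises a list that was actually created. Keeping `added != num` as the failure test still covers a negative return from gnutls_x509_trust_list_add_cas() as well as a short count, so the header's promise that tl is uninitialised on error holds on every path.
```c
int mgs_create_ocsp_trust_list(gnutls_x509_trust_list_t *tl,
                               const gnutls_x509_crt_t *chain,
                               const int num)
{
    int ret = gnutls_x509_trust_list_init(tl, num);
    /* Nothing to clean up if the list could not be created; keep the
     * GnuTLS error code so the caller can log it. */
    if (ret != GNUTLS_E_SUCCESS)
        return ret;

    int added = gnutls_x509_trust_list_add_cas(*tl, chain, num, 0);
    if (added != num)
    {
        /* Clean up trust list in case of error */
        gnutls_x509_trust_list_deinit(*tl, 0);
        return GNUTLS_E_CERTIFICATE_ERROR;
    }

    return GNUTLS_E_SUCCESS;
}
```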
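--- a/src/gnutls_ocsp.h
+++ b/src/gnutls_ocsp.h
@@ -19,4 +19,5 @@
 
 #include "gnutls/gnutls.h"
+#include "gnutls/x509.h"
 #include "httpd.h"
 #include "http_config.h"
@@ -26,4 +27,26 @@
                                          const char *arg);
 
+/*
+ * Create a trust list from a certificate chain (one or more
+ * certificates).
+ *
+ * tl: This trust list will be initialized and filled with the
+ * specified certificate(s)
+ *
+ * chain: certificate chain, must contain at least num certifictes
+ *
+ * num: number of certificates to load from chain
+ *
+ * Chain is supposed to be static (the trust chain of the server
+ * certificate), so when gnutls_x509_trust_list_deinit() is called on
+ * tl later, the "all" parameter should be zero.
+ *
+ * Returns GNUTLS_E_SUCCESS or a GnuTLS error code. In case of error
+ * tl will be uninitialized.
+ */
+int mgs_create_ocsp_trust_list(gnutls_x509_trust_list_t *tl,
+                               const gnutls_x509_crt_t *chain,
+                               const int num);
+
 int mgs_get_ocsp_response(gnutls_session_t session, void *ptr,
                           gnutls_datum_t *ocsp_response);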
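Review bot: The new comment on mgs_create_ocsp_trust_list has a typo in the chain description, `certifictes` should be `certificates`, and the lifetime requirement it hints at with "static" deserves a direct statement. The .c side adds the certificates with flags 0, so the list presumably keeps references to the caller's gnutls_x509_crt_t objects rather than copies, which is why deinit with all=0 is needed; a sentence such as ` * The certificates in chain must remain valid for as long as tl is in use; tl does not take ownership of them.` makes that explicit for callers that build the list once at configuration time, as the commit message intends. It would also help to say that on error no gnutls_x509_trust_list_deinit() call is required, since the comment already promises tl is uninitialised in that case.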